Newly discovered router flaw being hammered by in-the-wild attacks

Online criminals—at least some of them wielding the notorious Mirai
malware that transforms Internet-of-things devices into powerful
denial-of-service cannons—have begun exploiting a critical flaw that may
be present in millions of home routers.

Routers supplied to customers of the German and Irish ISPs Deutsche
Telekom and Eircom, respectively, have already been identified as
vulnerable, according to recently published reports from researchers
tracking the attacks. The attacks exploit
weaknesses found in routers made by Zyxel, Speedport, and possibly other
manufacturers. The devices leave Internet port 7547 open to outside
connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning
by the SANS Internet Storm Center, honeypot servers posing as
vulnerable routers are receiving exploits every five to 10 minutes.
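The honeypot observation above (exploit attempts every few minutes) is something a defender can reproduce from their own firewall logs. The following is an added example, not code from the article or from SANS: it parses constructed log lines in the iptables LOG format (the line layout and the RFC 5737 test addresses are assumptions), counts inbound TCP attempts to port 7547 per source, and flags the pattern when several distinct sources knock within a short average interval.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in iptables LOG format. Addresses come from the
# RFC 5737 documentation ranges; they are not real attacker addresses.
SAMPLE_LOG = """\
Nov 28 10:00:01 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40123 DPT=7547 SYN
Nov 28 10:02:13 gw kernel: WAN-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51002 DPT=7547 SYN
Nov 28 10:03:44 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40124 DPT=443 SYN
Nov 28 10:07:58 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40125 DPT=7547 SYN
Nov 28 10:15:30 gw kernel: WAN-IN: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=33000 DPT=7547 SYN
"""

# Pull the syslog timestamp and the SRC/PROTO/DPT fields out of one line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) "
    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2016):
    """Return a dict for a matching log line, or None for lines we don't understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (2016 here, matching the article).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "proto": m["proto"], "dpt": int(m["dpt"])}


def summarize_port_hits(log_text, port=7547):
    """Count inbound TCP attempts to `port`, per source, and the mean gap between them."""
    events = [
        e for e in map(parse_line, log_text.splitlines())
        if e and e["proto"] == "TCP" and e["dpt"] == port
    ]
    events.sort(key=lambda e: e["ts"])
    per_source = Counter(e["src"] for e in events)
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    avg_gap = sum(gaps) / len(gaps) if gaps else None
    return {
        "port": port,
        "total": len(events),
        "unique_sources": len(per_source),
        "per_source": dict(per_source),
        "avg_gap_seconds": avg_gap,
    }


def looks_like_mass_scanning(summary, min_sources=2, max_avg_gap=600):
    """Heuristic: several unrelated sources hitting the port at a steady, short cadence.

    The 600-second ceiling mirrors the 'every five to 10 minutes' rate SANS reported
    for its honeypots; tune it to your own baseline.
    """
    if summary["avg_gap_seconds"] is None:
        return False
    return summary["unique_sources"] >= min_sources and summary["avg_gap_seconds"] <= max_avg_gap


if __name__ == "__main__":
    s = summarize_port_hits(SAMPLE_LOG)
    print(s)
    print("mass-scanning pattern:", looks_like_mass_scanning(s))
```

A single source touching the port once is ordinary Internet background noise; the signal worth alerting on is the combination of many distinct sources and a regular cadence, which is what the heuristic keys on.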

SANS Dean of Research Johannes Ullrich said in
Monday's post that exploits are almost certainly the cause behind an
outage that hit Deutsche Telekom customers over the weekend. In a Facebook update,
officials with the German ISP said 900,000 customers are vulnerable to
the attacks until they are rebooted and receive an emergency patch.
Earlier this month, researchers at security firm BadCyber reported that
the same one-two port 7547/TR-064 exploit hit the home router of a
reader in Poland. They went on to identify D1000 routers supplied by
Eircom as also being susceptible and cited this post
as support. The Shodan search engine shows that 41 million devices
leave port 7547 open, while about five million expose TR-064 services to
the outside world.

BadCyber researchers analyzed one of the
malicious payloads that was delivered during the attacks and found it
originated from a known Mirai command-and-control server.

"The unusual application of TR-064 commands to
execute code on routers has been described for the very first time at
the beginning of November, and a few days later a relevant Metasploit
module had appeared," BadCyber researchers wrote in a blog post. "It looks like someone decided to weaponize it and create an Internet worm based on Mirai code."

All bases covered

To infect as many routers as possible, the
exploits deliver three separate exploit files, two tailored to devices
running different types of MIPS chips and a third that targets routers
with ARM silicon. Just like the Metasploit code, the malicious payloads
use the exploit to open the remote administration interface and then
attempt to log in using three different default passwords. The attack
then closes port 7547 to prevent other criminal enterprises from taking
control of the devices. The researchers wrote:

Logins and passwords are obfuscated (or
“encrypted”) in the worm code using the same algorithm as does Mirai.
The C&C server resides under timeserver.host domain name, which can
be found on the Mirai tracker list.
Also the pseudorandom algorithm to scan IPs... looks like [it is]
copied from Mirai source code. It looks like the author of the malware
borrowed the Mirai code and mixed it with the Metasploit module to
produce his worm.

The malware itself is really friendly as it
closes the vulnerability once the router is infected. It performs the
following command:

According to researchers at security firm
Kaspersky, the command-and-control servers are, interestingly, pointing
to IP addresses assigned to the US military.

"Since there is no Mirai related
infrastructure behind this network range, the bots will not receive any
further commands until the criminals behind this attack will change the
DNS records again," Kaspersky researchers wrote in a blog post published around the same time this article went live. "For sure, this is some kind of trolling from the criminals who conducted the attack."

People who want to lock down their routers and
have the necessary technical skills should reboot them and immediately
check whether the devices are listening for incoming connections on port
7547. As mentioned above, most Mirai-infected devices will be locked
down and will display few indications of compromise, although frequent
reboots have been reported in at least some cases. Generally speaking,
IoT devices are disinfected each time they're restarted. A good practice
is to reboot them and immediately lock them down with a strong
password, or, better yet, to disable remote administration.
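The port check recommended above can be done with a few lines of Python. This is an added example, not from the article: it attempts a plain TCP handshake to the router on port 7547 and reports whether anything accepted the connection. The default address 192.168.1.1 is an assumption about a typical home LAN; pass your own router address on the command line.

```python
import socket
import sys
from contextlib import closing


def port_accepts_connections(host, port=7547, timeout=3.0):
    """Return True if a TCP connection to host:port completes within `timeout` seconds.

    Only the handshake is attempted; nothing is sent, so this is safe to run
    against your own router.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:  # covers ConnectionRefusedError and socket.timeout
        return False


def check_router(host, ports=(7547,)):
    """Return {port: listening?} for each port in `ports`."""
    return {p: port_accepts_connections(host, p) for p in ports}


def self_check():
    """Exercise the check offline against a local listener, then the same port once closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        open_result = port_accepts_connections("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()
    closed_result = port_accepts_connections("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed LAN address
    for port, listening in check_router(target).items():
        state = "LISTENING (exposed)" if listening else "closed or filtered"
        print(f"{target}:{port} -> {state}")
```

One caveat: the attacks in this article arrive on the WAN side, and a check against the router's LAN address tells you only about the LAN interface. For the answer that matters, run the script from outside your network (for example, from a phone on mobile data, against your public IP) or use an external scanner; after rebooting and applying the ISP's patch, the port should report closed or filtered from outside.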